phpMyAdmin 4.0.x before 4.0.10.16, 4.4.x before 4.4.15.7, and 4.6.x before 4.6.3 does not properly choose delimiters to prevent use of the preg_replace (aka eval) modifier, which might allow remote attackers to execute arbitrary PHP code via a crafted string, as demonstrated by the table search-and-replace implementation.
46f778fd23af1e4e604d32a71ab007e759502445aee2fac99855d70658df179c
Gentoo Linux Security Advisory 201701-32 - Multiple vulnerabilities have been found in phpMyAdmin, the worst of which could lead to arbitrary code execution. Versions less than 4.6.5.1 are affected.
a3b7f6542c7661b4aaff9bd605cec15ffc932e03279fbf8e645a0b1dbc7d1f03